NAME
flow-nfilter — Filter flows.

SYNOPSIS
flow-nfilter [-hk] [-b big|little] [-C comment] [-d debug_level]
[-f filter_fname] [-F filter_definition] [-v variable binding] [-z z_level]

DESCRIPTION
The flow-nfilter utility filters flows based on user-selectable criteria.
Filters are defined in a configuration file and are composed of primitives
and a definition. Definitions contain match lines grouped to form logical
AND and OR operations on the flow using the selected primitives. A
definition may contain the invert command, which inverts the result of the
evaluation.

Words in the configuration file of the form @VAR or @{VAR:-default} are
expanded at run-time by setting variable names with the -v option.

Filter primitives begin with the filter-primitive keyword followed by a
symbolic name. Each primitive has a type, defined below. A list of permit
and/or deny keywords, each followed by an argument, is later evaluated to
determine whether the flow is permitted or denied. The default action for a
primitive is to deny, which may be changed with the default keyword.
Symbolic substitutions are done where appropriate.

The match keyword in a definition selects the criteria to match a
primitive. A match type may allow more than one type of primitive; for
example, the src-ip-addr match type accepts any of the {ip-address,
ip-address-mask, ip-address-prefix} primitive types.

Primitive type          Type     Description/Example
-------------------------------------------------------------------
as                      Bucket   Autonomous System Number.
                                 600,159,3112

ip-address-prefix-len   Numeric  Integer from 0 to 32.
                                 16-31

ip-protocol             Bucket   Integer from 0 to 255.
                                 6,17,1

ip-tos                  Bucket   Integer from 0 to 255 with mask.
                                 0xA0/0xE0

ip-tcp-flags            Bucket   Integer from 0 to 255 with mask.
                                 0x2/0x2

ifindex                 Bucket   Integer from 0 to 65535.
                                 0,5,10

engine                  Bucket   Integer from 0 to 255.
                                 0

ip-port                 Bucket   Integer from 0 to 65535.
                                 80,8080,23,22

ip-address              Hash     List of IP Addresses.
                                 10.0.0.1

ip-address-mask         List     List of IP address/mask pairs.
                                 10.1.0.0 255.255.0.0

ip-address-prefix       Trie     List of IP address/mask pairs.
                                 10.1/16

tag                     Hash     List of tags.
                                 0xFF00

tag-mask                List     List of tags.
                                 0xF000/0xFF00

counter                 List     List of Integers with qualifier.
                                 lt 32

time                    List     List of relative time specifiers.
                                 gt 5:00

time-date               List     List of absolute time specifiers.
                                 gt December 12, 2002 5:13:21

double                  List     List of doubles with qualifier.
                                 lt 32.0

rate                    Element  Rate is calculated as 1/rate.
                                 permit 100

Match type                         Description                 Primitives accepted
----------------------------------------------------------------------------------
source-as                          Source AS                   as

destination-as                     Destination AS              as

ip-source-address                  Source IP Address           ip-address,
                                                               ip-address-mask,
                                                               ip-address-prefix

ip-destination-address             Destination IP Address      ip-address,
                                                               ip-address-mask,
                                                               ip-address-prefix

ip-exporter-address                Exporter IP Address         ip-address,
                                                               ip-address-mask,
                                                               ip-address-prefix

ip-nexthop-address                 NextHop IP Address          ip-address,
                                                               ip-address-mask,
                                                               ip-address-prefix

ip-shortcut-address                Shortcut IP Address         ip-address,
                                                               ip-address-mask,
                                                               ip-address-prefix

ip-protocol                        IP Protocol                 ip-protocol

ip-source-address-prefix-len       Source IP address           ip-address-prefix-len
                                   prefix length

ip-destination-address-prefix-len  Destination IP address      ip-address-prefix-len
                                   prefix length

ip-tos                             IP Type Of Service          ip-tos

ip-marked-tos                      IP Type Of Service          ip-tos

ip-tcp-flags                       IP/TCP Flags                ip-tcp-flags

ip-source-port                     Source IP Port              ip-port
                                   eg TCP/UDP

ip-destination-port                Destination IP Port         ip-port
                                   eg TCP/UDP

input-interface                    Source ifIndex              ifindex
                                   eg Input Interface

output-interface                   Destination ifIndex         ifindex
                                   eg Output Interface

start-time                         Start Time of flow          time, time-date

end-time                           End Time of flow            time, time-date

flows                              Number of flows             counter

octets                             Number of octets            counter

packets                            Number of packets           counter

duration                           Duration of flow in ms      counter

engine-id                          Engine ID                   engine

engine-type                        Engine Type                 engine

source-tag                         Source Tag                  tag, tag-mask

destination-tag                    Destination Tag             tag, tag-mask

pps                                Packets Per Second          double

bps                                Bits Per Second             double

random-sample                      Random Sample               rate

OPTIONS
-b big|little
    Byte order of output.

-C Comment
    Add a comment.

-d debug_level
    Enable debugging.

-f filter_fname
    Filter list filename. Defaults to /var/flow-tools/cfg/filter.

-F filter_definition
    Select the active definition. Defaults to default.

-h  Display help.

-k  Keep time from input.

-v variable binding
    Set a variable FOO=bar.

-z z_level
    Configure compression level to z_level. 0 is disabled (no
    compression), 9 is highest compression.

TIME/DATE PARSING
time-date parsing is implemented with getdate.y, a commonly used function
to process free-form time/date specifications. Example usage borrowed
from cvs:

    1 month ago
    2 hours ago
    400000 seconds ago
    last year
    last Monday
    yesterday
    a fortnight ago
    3/31/92 10:00:07 PST
    January 23, 1987 10:05pm
    22:00 GMT

EXAMPLES
An example filter configuration file:

    filter-primitive srate
      type rate
      permit 100

    filter-primitive test-as
      type as
      permit 600,159

    filter-primitive test-prefix-len
      type ip-address-prefix-len
      permit 32

    filter-primitive test-protocol
      type ip-protocol
      permit tcp

    filter-primitive test-tos
      type ip-tos
      mask 0xA0
      permit 0xE0

    filter-primitive test-tcp-flags
      type ip-tcp-flags
      mask 0x2
      permit 0x2

    filter-primitive test-ifindex
      type ifindex
      permit 0,5,10

    filter-primitive test-engine
      type engine
      permit 0

    filter-primitive test-port
      type ip-port
      permit https
      permit 80
      default deny

    filter-primitive test-address
      type ip-address
      permit 0.0.0.1
      permit 0.0.0.2
      default deny

    filter-primitive test-address-mask
      type ip-address-mask
      permit 128.146.197.1 255.255.255.255
      permit 128.146.197.2 255.255.255.255

    filter-primitive test-prefix
      type ip-address-prefix
      permit 128.146.0.0/16
      default deny

    filter-primitive test-tag
      type tag
      permit 0x00
      permit 0x01
      permit 0xFF

    filter-primitive test-tag-mask
      type tag-mask
      permit OSU 0xFF
      permit 0xFF 0xFF
      default deny

    filter-primitive test-counter
      type counter
      permit lt 5
      permit gt 10
      default deny

    filter-primitive test-time-date
      type time-date
      permit gt December 12, 2002 5:13:21

    filter-primitive test-time
      type time-date
      permit gt 12:15:00

    filter-definition sample-1-in-100
      match random-sample srate

    filter-definition t1
      match engine-type test-engine
      or
      match destination-tag test-tag-mask

Display all flows with a destination port of 80 or source port of 25
(smtp) starting after Dec 12, 2001. The file test is populated with the
following:

    filter-primitive port80
      type ip-port
      permit 80

    filter-primitive port25
      type ip-port
      permit smtp

    filter-primitive dec12
      type time-date
      permit gt Dec 12, 2001

    filter-definition foo
      match ip-source-port port80
      match start-time dec12
      or
      match ip-destination-port port25
      match start-time dec12

    flow-cat flows | flow-nfilter -ftest -Ffoo | flow-print

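To make the evaluation model described above concrete (match lines inside a definition ANDed together, "or" separating alternative groups, "invert" negating the result, permit/deny lines falling through to the primitive's default, and @VAR / @{VAR:-default} expansion from -v), here is an added toy evaluator written for this page; it is not flow-tools code. It parses the "test" file from the example above, with the port turned into an @{PORT:-80} variable so the -v expansion is exercised, and runs a few constructed flow records through definition foo. Assumptions it makes that the man page does not state: permit/deny lines are tried in file order and the first hit decides; the mask keyword defaults to 0xFF; time-date arguments use the fixed "Mon DD, YYYY" form rather than getdate's free-form parser; service names come from a small constructed table rather than /etc/services; and a flow is represented as a dict keyed by match-type name.

```python
"""Toy evaluator for the flow-nfilter configuration grammar (added example,
not flow-tools code).  Covers ip-port, ip-address-prefix, ip-tcp-flags,
counter and time-date primitives, @VAR expansion and the definition grammar.
Assumed: first matching rule wins, dates are "Mon DD, YYYY" only, mask
defaults to 0xFF, and service names come from a constructed table."""
import ipaddress
import re
from datetime import datetime

SERVICES = {"http": 80, "https": 443, "smtp": 25}  # constructed stand-in for /etc/services

def expand_vars(text, bindings):
    """Expand @VAR and @{VAR:-default} the way -v VAR=value bindings would."""
    text = re.sub(r"@\{(\w+):-([^}]*)\}", lambda m: bindings.get(m[1], m[2]), text)
    return re.sub(r"@(\w+)", lambda m: bindings[m[1]], text)

def parse_config(text):
    """Return ({name: primitive}, {name: definition}) from filter.cfg-style text."""
    prims, defs, cur = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "filter-primitive":   # mask 0xFF is an assumed default
            cur = prims[args[0]] = {"type": None, "mask": 0xFF, "rules": [], "default": "deny"}
        elif key == "filter-definition":
            cur = defs[args[0]] = {"groups": [[]], "invert": False}
        elif key in ("type", "default"):
            cur[key] = args[0]
        elif key == "mask":
            cur["mask"] = int(args[0], 0)
        elif key in ("permit", "deny"):
            cur["rules"].append((key, args))
        elif key == "match":            # match lines in one group are ANDed
            cur["groups"][-1].append((args[0], args[1]))
        elif key == "or":               # "or" starts a new group
            cur["groups"].append([])
        elif key == "invert":
            cur["invert"] = True
        else:
            raise ValueError("unknown keyword: " + key)
    return prims, defs

def _rule_hits(ptype, args, mask, value):
    """Does one permit/deny argument match the flow field value?"""
    if ptype == "ip-port":
        return value in {SERVICES.get(t.lower()) or int(t, 0) for t in ",".join(args).split(",")}
    if ptype == "ip-address-prefix":
        return ipaddress.ip_address(value) in ipaddress.ip_network(args[0], strict=False)
    if ptype == "ip-tcp-flags":  # masked compare: mask 0x2 / permit 0x2 means "SYN bit set"
        return (value & mask) == int(args[0], 0)
    if ptype == "counter":
        n = int(args[1])
        return {"lt": value < n, "gt": value > n, "eq": value == n}[args[0]]
    if ptype == "time-date":
        when = datetime.strptime(" ".join(args[1:]), "%b %d, %Y")
        return {"lt": value < when, "gt": value > when}[args[0]]
    raise ValueError("unsupported primitive type: %s" % ptype)

def primitive_permits(prim, value):
    """First matching permit/deny line decides; otherwise the default applies."""
    for action, args in prim["rules"]:
        if _rule_hits(prim["type"], args, prim["mask"], value):
            return action == "permit"
    return prim["default"] == "permit"

def definition_permits(definition, prims, flow):
    """AND within a match group, OR across groups, then invert if requested.
    flow is a dict keyed by match type, e.g. {"ip-source-port": 80, ...}."""
    hit = any(all(primitive_permits(prims[p], flow[m]) for m, p in group)
              for group in definition["groups"] if group)
    return hit != definition["invert"]

def run_filter(config_text, definition_name, flows, bindings=None):
    """Rough equivalent of: flow-nfilter -f<config> -F<definition> [-v VAR=value]."""
    prims, defs = parse_config(expand_vars(config_text, bindings or {}))
    return [f for f in flows if definition_permits(defs[definition_name], prims, f)]

# The "test" file from the example above, with the port as a -v variable.
TEST_CFG = """
filter-primitive port80
  type ip-port
  permit @{PORT:-80}
filter-primitive port25
  type ip-port
  permit smtp
filter-primitive dec12
  type time-date
  permit gt Dec 12, 2001
filter-definition foo
  match ip-source-port port80
  match start-time dec12
  or
  match ip-destination-port port25
  match start-time dec12
"""

# Constructed flow records carrying only the fields the definition consults.
FLOWS = [
    {"ip-source-port": 80, "ip-destination-port": 51515, "start-time": datetime(2002, 1, 5)},
    {"ip-source-port": 51515, "ip-destination-port": 25, "start-time": datetime(2002, 1, 5)},
    {"ip-source-port": 80, "ip-destination-port": 25, "start-time": datetime(2001, 6, 1)},
]
```

run_filter(TEST_CFG, "foo", FLOWS) keeps the first two records (one via each AND group) and drops the third, whose start time is before Dec 12, 2001; passing bindings={"PORT": "8080"} mirrors -v PORT=8080 and then only the smtp record survives. The same parser handles the masked ip-tcp-flags and counter primitives from the longer configuration example above.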
FILES
Configuration files:
    Symbols - /var/flow-tools/sym/*.
    Tag - /var/flow-tools/cfg/tag.cfg.
    Filter - /var/flow-tools/cfg/filter.cfg.

BUGS
None known.

AUTHOR
Mark Fullmer maf@splintered.net

SEE ALSO
flow-tools(1)

flow-nfilter(1)